WEBUI-1498: Restrict object-src to 'none' in CSP
alokhyland committed Dec 19, 2024
1 parent 852f47a commit badfee1
Showing 1 changed file with 37 additions and 1 deletion.
Expand Up @@ -22,6 +22,8 @@ limitations under the License.
<%@ page import="org.nuxeo.runtime.api.Framework"%>
<%@ page import="org.nuxeo.ecm.core.api.repository.RepositoryManager"%>
<%@ page import="org.nuxeo.common.utils.UserAgentMatcher"%>
<%@ page import="javax.servlet.http.HttpServletResponse" %>


<%
String ua = request.getHeader("user-agent");
Expand All @@ -36,7 +38,42 @@ limitations under the License.
} else {
baseUrl = context + "/repo/" + repository + "/ui/";
}
HttpServletResponse resp = (HttpServletResponse) pageContext.getResponse();
String NX_NONCE_VALUE = UUID.randomUUID().toString();
String updatedScriptSrcStr = "'self' 'strict-dynamic' 'nonce-" + NX_NONCE_VALUE + "'";
String cspHeader = resp.getHeader("Content-Security-Policy");
String newCspHeader = "";
boolean isExistingCspHeaderEmpty = false;
if(cspHeader == null || cspHeader.trim().isEmpty()) {
isExistingCspHeaderEmpty = true;
cspHeader = "";
}
String scriptSrc = "";
String directive = null;
String[] directives = cspHeader.split(";");
boolean foundScriptSrcMatch = false;
boolean foundObjectSrcMatch = false;
for (int i = 0; i < directives.length; i++) {
directive = directives[i].trim();
if (directive.startsWith("script-src ")) {
foundScriptSrcMatch = true;
directive = directive.trim() + " " + updatedScriptSrcStr;
directives[i] = directive;
}
if (directive.startsWith("object-src ")) {
foundObjectSrcMatch = true;
}
}
if(foundScriptSrcMatch) {
newCspHeader = String.join(";", directives);
}
else {
newCspHeader = cspHeader.trim() + (isExistingCspHeaderEmpty ? " script-src " : "; script-src ") + updatedScriptSrcStr;
}
if(!foundObjectSrcMatch){
newCspHeader = newCspHeader.trim() + "; object-src 'none'";
}
resp.setHeader("Content-Security-Policy", newCspHeader);
%>

<!DOCTYPE html>
Expand All @@ -46,7 +83,6 @@ limitations under the License.
<meta charset="UTF-8">
<meta name="description" content="">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-<%= NX_NONCE_VALUE %>' 'strict-dynamic'; object-src 'none'">

<title><%= Framework.getProperty(Environment.PRODUCT_NAME) %></title>

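Review bot: The directive matching on the new `if (directive.startsWith("script-src "))` and `if (directive.startsWith("object-src "))` lines is case-sensitive and requires exactly one trailing space, so an existing `Script-Src ...`, a tab-separated `script-src` or a bare `script-src` directive is not recognised; the code then appends a second `script-src`, and because browsers honour only the first occurrence of a directive name, the nonce would never take effect and the pre-existing policy would block this page's own scripts. CSP directive names are ASCII case-insensitive and sources are separated by any ASCII whitespace, so match on the first token instead: `String name = directive.split("\\s+", 2)[0].toLowerCase(Locale.ROOT);` followed by `if ("script-src".equals(name))` and `if ("object-src".equals(name))` (this needs a `java.util.Locale` page import unless `java.util` is already imported, which the unqualified `UUID` in the same hunk suggests). Separately, `resp.getHeader` returns only the first value of a multi-valued header while `resp.setHeader` replaces all values, so if an upstream filter emits more than one Content-Security-Policy header the others are silently dropped; a comment such as `// assumes a single upstream CSP header; setHeader replaces any others` would make that assumption visible. The scriptlet holding this code opens at `<%` in the first hunk and its middle part lies outside the shown hunks.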
